Reposted to VIM with Marko's permission.
---------- Forwarded message ----------
From: Marko Seppänen <smarko at hoito.org>
To: news at theregister.co.uk, toimitus at digitoday.fi
Cc: info at ns-research.jp, webmaster at osvdb.org, cve at mitre.org, xforce at iss.net,
ktownsend at itsecurity.com, vuln at security.nnov.ru, nvd at nist.gov,
tietoturva at ficora.fi
Date: Fri, 26 May 2006 03:52:12 +0300
Subject: Article suggestion: "wannabe security group members" doing harm to
software developers
(NLST, Security Advisory, ITSecurity.com, ISS, CVE, OSVDB and NetSecurity. I'm
kindly asking you to remove the mention of a security flaw in the software product
developed by me, as that information is incorrect. Related links are listed
near the end of this message.)
---
Hello,
I'd like to suggest to you an article titled "Wannabe security group members
doing harm to software developers". To put it short, a person with the nickname
r0t, belonging to a "security crew" named Pridels, has claimed on their blog
that my PHP-based product contains a security flaw. That claim is false. I'll
explain this in more detail in the next section.
http://hoito.org/en/greenminute (full version to test)
The way he comments his actions and declines to release my comments
(the second one) in his moderated blog is kind of proof about what type of
person he is. It would be fruitless to make any further contact with him.
I would be worried, if this r0t-person is more interested in trying to
gather fame by adding something new to a list of software titles, he has
touched with his "security gloves", than doing acceptable security related
work. I would be even more worried, if that would be common practice in
"security scene". To collect name and fame among others, I mean.
THE CLAIM
http://pridels.blogspot.com/2006/04/green-minute-sql-inj-vuln.html
The claim was this: "Multiple SQL injection vulnerabilities in
userscript.php in Green Minute 1.0 and earlier allow remote attackers to
execute arbitrary SQL commands via the (1) huserid, (2) pituus, or (3) date
parameters."
Well, those parameters mentioned ARE checked (preg_match) before they are
used in SQL-query, so where's the security flaw? Basically, this r0t-person
hasn't bothered to check things carefully and has just made a guess.
Naturally, he didn't bother to mention anything to me.
If someone decided to add SQL-injection stuff to certain parameter, they
would see an error text, but only because _nothing_ was passed inside that
parameter (to MySQL-database). Yes, I should have made that text hidden or
replaced it with something else. This applies to few cases, but it certainly
cannot be called a "security flaw".
ABOUT THE CLAIMER
Claimer's nick: r0t
Blogger-profile: 15 years, Finland, Turku (maybe true, maybe not)
Url: http://pridels.blogspot.com/2006/04/green-minute-sql-inj-vuln.html
His blog-comments (in above url) are moderated and he has decided to not
release the second comment I made (over 2 weeks ago). That way he can try to
leave any impression he wants (fits in schema I see about him). My second
comment would have been:
"The way you decided to choose words to your answer, proves to me, that you
haven't grown to a person willing to take enough responsibility of your
actions. Also, please don't call yourself a security expert, if you can not
discern real security threat from "unnecessary textual information." And
if you later found something really dangerous and you are sure about it, let
me know about it and don't just write about it here. That's what responsible
security expert would do." (He did call himself a security expert.)
His actions remind me of people, who are "collecting fame" among other
"security experts" (with nick names like rgod, waraxe, nukedx, g0df4th3r,
[Oo] and str0ke). Or maybe he wants to show to everybody how many software
products he has checked through (or should I say "has touched"?). See:
http://www.security.nnov.ru/source12948.html (I'm not going to test any of
those other titles on his list, but that shouldn't make this message
meaningless. If you think that the subject is worth the
article, maybe you would be interested in that kind of research?).
THE FALSE CLAIM HAS REACHED MULTIPLE SECURITY SITES
The security "alert" has been posted at least to these sites:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1930
http://www.security.nnov.ru/Mdocument327.html
http://www.itsecurity.com/security.htm?s=15488
http://xforce.iss.net/xforce/xfdb/25942
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2006-1930
http://www.osvdb.org/displayvuln.php?osvdb_id=25207
https://www.netsecurity.ne.jp/6_6549.html
I've downloaded relevant pages from those sites and put them to this
.zip-archive:
http://hoito.org/en/sosaidsecurityflaw.zip
BACKGROUND INFORMATION ABOUT THE AUTHOR
As background information I can tell, that I'm a media technology student in
polytechnic, studying programming and other subjects. The Green Minute was my
first "bigger" product. I've learned a lot while coding it and there's a lot
of things, I now would want to do otherwise, but that claim about security
flaw is still rubbish.
BOTTOM NOTE
These kinds of false "security alerts" will weaken the credibility of real
security experts and their work. If this is common in "security scene", such
actions might also raise unnecessary fears among general people toward
privacy issues related to internet (because it increases security issue
count). It also seems to be too easy to make false security claims like this
and get that information published in multiple sites. But still, with my
mind in neutral mode, I'm kindly asking sites having that information, to
remove it.
Yours,
Marko Seppänen
Hoito.org - http://hoito.org
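
The distinction the message draws, between a parameter that is pattern-checked before it reaches the SQL query and a database error text that leaks to the client, can be shown in a short PHP sketch. This is an added example, not Green Minute's code and not part of Marko's message; the parameter formats, the table and column names and the handle()/validate() helpers are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added illustration, not Green Minute's code. The page only names the parameters
// huserid, pituus and date; their formats, the table and the columns are assumed.
const RULES = [
    'huserid' => '/\A[0-9]{1,10}\z/',
    'pituus'  => '/\A[0-9]{1,4}\z/',
    'date'    => '/\A[0-9]{4}-[0-9]{2}-[0-9]{2}\z/',
];

// Return the validated values, or null if any parameter is missing or malformed.
// \A and \z anchor the whole string; a bare $ would also accept "7\n".
function validate(array $in): ?array
{
    $out = [];
    foreach (RULES as $name => $pattern) {
        $value = $in[$name] ?? null;
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            return null;
        }
        $out[$name] = $value;
    }
    return $out;
}

function handle(PDO $db, array $in): string
{
    $p = validate($in);
    if ($p === null) {
        // Fail closed: no query runs, so no database error text can reach the client.
        return '400 invalid parameters';
    }
    // Placeholders keep data out of the SQL text even if a pattern is loosened later.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM entries WHERE user_id = ? AND length = ? AND day = ?'
    );
    $stmt->execute([$p['huserid'], $p['pituus'], $p['date']]);
    return '200 rows=' . $stmt->fetchColumn();
}

// Constructed demo data; in-memory SQLite stands in for the MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (user_id INTEGER, length INTEGER, day TEXT)');
$db->exec("INSERT INTO entries VALUES (7, 30, '2006-04-20')");

$ok = ['huserid' => '7', 'pituus' => '30', 'date' => '2006-04-20'];
echo handle($db, $ok), "\n";                           // well-formed request
echo handle($db, ['huserid' => "7'"] + $ok), "\n";     // stray quote: rejected before SQL
echo handle($db, ['huserid' => "7\n"] + $ok), "\n";    // trailing newline: rejected by \z
```

Returning a fixed message on rejection, instead of running the query with an empty value, removes the MySQL error text that the message says was visible, which is the kind of output that gets read as evidence of injection.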